CVE-2020-15243

Published: Oct 8, 2020Modified: Jun 17, 2026

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

Affected versions of Smartstore have a missing WebApi Authentication attribute. This vulnerability affects Smartstore shops in version 4.0.0 & 4.0.1 which have installed and activated the Web API plugin. Users of Smartstore 4.0.0 and 4.0.1 must merge their repository with 4.0.x or overwrite the file SmartStore.Web.Framework in the */bin* directory of the deployed shop with this file. As a workaround without updating uninstall the Web API plugin to close this vulnerability.

Affected (2)

Products: Smartstore: Smartstore

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Smartstore Smartstore	Version 4.0.0
Smartstore Smartstore	Version 4.0.1

Related CWEs

Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

References (2)

https://github.com/smartstore/SmartStoreNET/security/advisories/GHSA-8g9m-jx26-qp4h

Source: security-advisories@github.com

Third Party Advisory

https://github.com/smartstore/SmartStoreNET/security/advisories/GHSA-8g9m-jx26-qp4h

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.